apparent keylogger malware infection

Discussion in 'malware problems & news' started by BobLewiston, Jun 2, 2010.

Thread Status:
Not open for further replies.
  1. BobLewiston

    BobLewiston Registered Member

    Joined:
    Jan 25, 2010
    Posts:
    13
    A day or two ago AVAST! AntiVirus warned me I was attempting to access a dangerous website. (I don't remember what website it was.) I took the warning and didn't access the website.

    Later I did a sweep with AVAST! It reported three malware infections. All 3 were of High severity and of the same type (Win32:Malware-gen).

    Two of the infections were within two different copies I had of the GMER executable, one on my main disk (C), and the other on my backup disk (E). These two executables were not actually named gmer.exe because, in order to avoid being impregnated with malware by the forces of evil before these files were even downloaded, those parties who make these files available for download give them random names.

    The third infection was in:

    E:\System Volume Information\_restore {D18642E0-9885-4956-BEC4-09E7EF0136D4}\RP453\A0106921.EXE.

    As this is a hidden directory, I was unaware of its existence on my backup disk. (I had originally obtained this disk drive from a friend.)

    AVAST! successfully quarantined the two infected copies of the GMER executable, but said it could no longer find the third infected file.

    I ran AVAST! again twice, Malwarebytes' Antimalware twice, and SUPERAntiMalware once, in all cases doing complete scans. No malware was found in any of these scans.

    Now PC Tools Firewall Plus has just reported:

    "Office Data Provider for WBEM

    Office Data Provider for WBEM is attempting to monitor and/or intercept NetgearCUv2 MFC Application events. This hook monitors keystroke messages. The hook procedure is associated with all existing threads running in the same desktop as the calling thread.

    Only allow this if you know the application is Safe."

    (Netgear is my wireless network adapter.)

    I of course didn’t allow the application to run.

    Apparently I've got a malware infection, and it's a keylogger (in addition to God knows what else).

    Any help available?
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi, it's possible that the GMER detects by Avast might be FP's. You could upload them seperately to http://www.virustotal.com for multiple testing. Posting the full results are not allowed on here, but you can say how many detects you got, if any. Save the http results links and PM them to me.

    The Netgear hook does sound odd though.

    I would do a System Restore to a date before all this happened and see if that resolves things.

    If it does then delete any backups on E:\ after that SR.

    Before backup deletion, if you have any important files etc you have made inbetween the time frames, save them separately to a new folder etc, so you can copy/paste etc back in after backup deletion, once you're back to normal.

    Post back with your observations and we'll take it from there.
     
Loading...
Thread Status:
Not open for further replies.